As worms and other exploits continue to blast through holes in vulnerable software, driving up enterprise cleanup costs threefold annually, some folks with pull in the information security industry are starting to talk more about government regulation.
The argument that market forces, rather than government, should drive change in the private sector, and most relevantly here the development of secure software, may be slowly doing an about-face as thought leaders begin to talk about market failure leading to government intervention.
"I went around saying that regulation was a bad thing because the government was stupid and would do it badly," said former cybersecurity czar Richard Clarke at last week's RSA Conference. "But the thing about regulation is that there was always a footnote -- like, unless there's market failure, we don't want regulation. If the market doesn't cause voluntary processes [to change], then government gets involved."
Last year's malware mess created by the Slammer, Blaster and Sobig worms caused damage expenses to triple year over year. Clarke predicts 2004 won't be any better.
"Maybe  wasn't market failure, but if it wasn't, I need to know what is," Clarke said.
Ironically, regulation has already crept onto the information security landscape: HIPAA, Gramm-Leach-Bliley and Sarbanes-Oxley have caused C-level executives to take notice of IT security policies, processes and technology. Failure to comply can exact a heavy toll, up to and including imprisonment.
There are, however, noteworthy arguments against government intervention, the primary example being the shambles of the government's own security house. The General Accounting Office, for example, regularly hands out failing grades to federal agencies on the state of their cybersecurity.
"The federal government should be the model, but it continues to be the model of how not to do it," Clarke said, adding that it should be the role of the government to stimulate security by funding projects to develop secure code.
"It should not be beyond the capabilities of the United States to develop secure software," Clarke said. "If we make it as important as the Moon project or the Manhattan Project, we could [have secure code], and require once we had it, that vital parts of the economy use it."
It takes time to improve infrastructure security because legacy systems were not designed for current threat models, said Scott Charney, chief strategist for Trustworthy Computing at Microsoft. "We're in a tough period because we require major infrastructure changes. We do need to be careful that we don't go down the road of not following best practices and freeze out product development [via regulation]."
Market forces fail on some levels but stand a chance in others. The market failed with Internet service providers, for example: most ISPs have done next to nothing with regard to security despite the specter of regulation, Clarke said.
However, market forces may be winning in financial services. Financial institutions are contemplating their own set of standards for software and procurement, a form of self-regulation, Clarke said.
"Financials say they want more secure products. They are coming up with standards and are taking them to the software industry and saying 'Live up to these or we won't buy your next new product,'" Clarke said. "That's a form of regulation. Those are market forces."

SearchSecurity.com's exclusive RSA Conference 2004 coverage